
Use Ubuntu Mate as a terminal server with Active Directory users

If you woke up this morning and said to yourself “I'm looking for a good remote desktop connection to my Linux machine and can't find one that is both smooth and clear”, then you are in the right place. Back by popular demand: although I have already done several tutorials on the subject, I am going to show how it's done, all at once (and review the procedures to account for the new software versions).

For this tutorial, I'll assume that your FQDN is sub.domain.local, and we will start with the XRDP-friendly configuration by choosing the Ubuntu MATE flavour.

Download and install Ubuntu MATE from their official page. It's always good practice to update a newly installed OS, so update your Ubuntu MATE:

sudo apt-get update
sudo apt-get upgrade

Install XRDP on your Ubuntu MATE:

sudo apt-get install xrdp

If you use a non-standard keyboard (like I do), you will have to fix the keyboard mapping.

Switch to the newly created directory, mark install.sh as executable and run it

sudo chmod +x install.sh
sudo ./install.sh

Upon installation, if domainjoin-gui doesn't start automatically, start it by typing

sudo /opt/pbis/bin/domainjoin-gui

Enter the FQDN in the first field, and click 'Join domain'

Provide the username and password of the user with the privileges to join computers into the specified domain and click OK

When complete, run 'sudo visudo' and add your domain user to sudoers.

SUB\\username ALL=(ALL) ALL

PowerBroker Identity Services (PBIS) creates a user directory on the Linux system upon first login by that user. PBIS uses /etc/skel to create these new directories, so create a default .xsession file in /etc/skel, containing the desktop environment that the AD user will see upon first login. Simply create a .xsession file in /etc/skel with the following content:

mate-session

Xrdp uses PAM to authenticate logins, so in the directory /etc/pam.d you will notice an xrdp-sesman link to the sesman file. This file specifies how xrdp uses PAM to authenticate users.
The default one probably won't authenticate against AD, so you need to change it. Edit the xrdp-sesman file and replace the contents with the following:

The common-* files were all altered when you installed PBIS to include the necessary bits to authenticate against AD.

Reboot the machine

Your Active Directory users can now log into the OS using the console, RDP or SSH. On the login screen, select 'other' and enter your AD credentials in the form SUB\username. XRDP (and SSH) should work in the same manner.
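To confirm the edits above, the following read-only script checks the three files this tutorial touches. It is an added example, not part of the original tutorial or of XRDP/PBIS; the function names and the PAM_FILE, SKEL_FILE and SUDOERS_FILE override variables are made up for it, and it assumes the xrdp-sesman file pulls in the common-* stacks with Debian/Ubuntu-style @include lines.

```shell
#!/bin/sh
# Added example: read-only checks for the files this tutorial edits.
# Assumption: the PAM file uses Debian/Ubuntu "@include common-*" lines.

# Succeed only if FILE includes all four common-* PAM stacks (uncommented).
pam_includes_common() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for stack in auth account session password; do
        grep -Eq "^[[:space:]]*@include[[:space:]]+common-$stack([[:space:]]|\$)" "$file" || {
            echo "missing: @include common-$stack in $file" >&2
            return 1
        }
    done
    return 0
}

# Succeed if the skeleton .xsession starts mate-session for new AD users.
skel_starts_mate() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*(exec[[:space:]]+)?mate-session[[:space:]]*$' "$1"
}

# Print DOMAIN\\user lines that grant unrestricted sudo, for review.
sudoers_full_grants() {
    grep -E '^[^#[:space:]]+\\\\[^[:space:]]+[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$' "$1"
}

# Run every check; paths can be overridden to test copies of the files.
run_checks() {
    rc=0
    pam_includes_common "${PAM_FILE:-/etc/pam.d/xrdp-sesman}" || rc=1
    skel_starts_mate "${SKEL_FILE:-/etc/skel/.xsession}" ||
        { echo "skel .xsession does not start mate-session" >&2; rc=1; }
    echo "Domain accounts with ALL=(ALL) ALL:"
    sudoers_full_grants "${SUDOERS_FILE:-/etc/sudoers}" || echo "  (none found)"
    return "$rc"
}

# Only touch the live system when asked to: sh check.sh --check (as root).
if [ "${1:-}" = "--check" ]; then
    run_checks
fi
```

Run it as root with --check, since /etc/sudoers is not world-readable. Review every account it lists: ALL=(ALL) ALL gives that AD user full root on the terminal server.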